What CVEs are a fully patched 10.5.8 *actually* vulnerable to?

[Mike Richardson]

All of these recent CVEs, for some reason, claim that every single version of OS X/macOS ever made are susceptible to the vulnerability - even when those versions of OS X do not contain the features that are exploitable.

CVE-2018-4170 concerns an issue in "sysadminctl" but that didn't even appear until at least 10.10. Yet every single one of these sites lists every single OS X version going back to 10.0.0 as being vulnerable.

This just makes it harder to tell what new exploits actually do affect the older OS versions.

This is especially dangerous on Power Macs, since the typical offered solution for new CVEs, "Upgrade to macOS 10.13.6" or whatever, has a 100% failure rate on PowerPC hardware. (of course, open source allows us to roll our own solutons to some of the issues, but not all).

 

[amagichnich]

Yet every single one of these sites lists every single OS X version going back to 10.0.0 as being vulnerable.

You have already answered your question. Still, think about it like this: you have a very old door with a very old key to open it. Newer doors use double "better" keys with better security. The old key is not compatible with the new door because it simply doesn't fit.
Now CNN titles "all doors are insecure because of bad keys" - and you trust them and therefore replace your old door with a new one with a "smart" Bluetooth lock... Anyways... Just because a website says that every version of OS 10 is affected it doesn't necessarily have to be true.
But: 10.5(.8) is NOT really secure, even though it is invulnerable to "modern" CVEs